VYPR
High severity · NVD Advisory · Published Oct 10, 2018 · Updated Aug 5, 2024

CVE-2018-8505

Description

Chakra scripting engine memory corruption in Microsoft Edge allows remote code execution via crafted web content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge and ChakraCore. The vulnerability is triggered when the Chakra scripting engine fails to properly handle objects in memory, leading to corruption. [1][2]

Exploitation

An attacker can host a specially crafted website (or leverage a compromised website) that contains malicious content designed to exploit this vulnerability. The attacker would then need to convince a user to view the website, typically via an email or instant message link. No special privileges or authentication are required; user interaction is limited to visiting the malicious page. [2][4]

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user has elevated administrative rights, the attacker could install programs, view, change, or delete data, or create new accounts with full user rights. [1][4]

Mitigation

Microsoft released a security update on October 9, 2018, addressing this vulnerability. Users should install the latest security updates for Microsoft Edge and Windows. ChakraCore, which reached end of life on March 9, 2021, no longer receives security updates; users should migrate away from using it. [2][3]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Microsoft.ChakraCore (NuGet)
Affected versions: < 1.11.2
Patched versions: 1.11.2
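
To check a .NET project against the affected range listed above, the following added example (not part of the advisory or the ChakraCore project) scans a `.csproj` or `packages.config` for Microsoft.ChakraCore references below 1.11.2. The function names and the sample project files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "microsoft.chakracore"  # NuGet ids are case-insensitive
PATCHED = (1, 11, 2)              # first patched version listed in the advisory

def parse_version(text):
    """Return (major, minor, patch[, rev]) or None for anything that is not a plain version."""
    if not re.fullmatch(r"\s*\d+(\.\d+){0,3}\s*", text or ""):
        return None  # floating, range or pre-release versions need a manual look
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * max(0, 3 - len(parts)))

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the MSBuild XML namespace, if any

def find_references(xml_text):
    """Yield the version string of every reference to PACKAGE in the given XML."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "PackageReference" and (el.get("Include") or "").lower() == PACKAGE:
            child = next((c for c in el if local(c.tag) == "Version"), None)
            yield el.get("Version") or (child.text if child is not None else None)
        elif local(el.tag) == "package" and (el.get("id") or "").lower() == PACKAGE:
            yield el.get("version")

def audit(xml_text):
    """Return [(version_string, status)] with status affected / patched / review."""
    results = []
    for raw in find_references(xml_text):
        version = parse_version(raw)
        if version is None:
            status = "review"
        else:
            status = "affected" if version[:3] < PATCHED else "patched"
        results.append((raw, status))
    return results

# Constructed sample inputs (not taken from any real project)
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="12.0.1" />
    <PackageReference Include="Microsoft.ChakraCore" Version="1.11.1" />
  </ItemGroup>
</Project>"""
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Microsoft.ChakraCore" version="1.11.2" targetFramework="net461" />
</packages>"""

if __name__ == "__main__":
    print(audit(SAMPLE_CSPROJ))
    print(audit(SAMPLE_PACKAGES_CONFIG))
```

A `patched` result covers this CVE only; a `review` result means the version is floating, a range, or a pre-release and has to be resolved by hand.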

Affected products

3

Patches

1
08f11df45aef

[CVE-2018-8505] Edge - Chakra::TypeConfusion_8_16 JIT - Qihoo 360

https://github.com/chakra-core/ChakraCore · Rajat Dua · Sep 6, 2018 · via ghsa
2 files changed · +9 -8
  • lib/Runtime/Language/JavascriptOperators.cpp +6 -1 modified
    @@ -4950,13 +4950,18 @@ using namespace Js;
                     }
                     else if (instanceType == TypeIds_NativeIntArray)
                     {
    -                    // Only accept tagged int. Also covers case for MissingItem
    +                    // Only accept tagged int.
                         if (!TaggedInt::Is(value))
                         {
                             return false;
                         }
                         int32 intValue = 0;
                         if (!MemsetConversion<int32, JavascriptConversion::ToInt32>(value, scriptContext, &intValue))
    +                    {
    +                        return false;
    +                    }
    +                     // Special case for missing item
    +                    if (SparseArraySegment<int32>::IsMissingItem(&intValue))
                         {
                             return false;
                         }
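
Review bot: the new `// Special case for missing item` comment above the `IsMissingItem(&intValue)` check does not explain why a value that already passed `TaggedInt::Is` still has to be rejected, and it is indented one column further than the code around it. The removed text "Also covers case for MissingItem" shows the earlier assumption was that the tagged-int test excluded the sentinel, so the comment should state that a tagged int can convert to the int32 missing-item value and that storing it in a native int array would make a real element look like a hole. The commit touches only the two files under lib/Runtime; a regression test that drives this branch with the sentinel value would keep the assumption from coming back.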
    
  • lib/Runtime/Library/JavascriptArray.cpp +3 -7 modified
    @@ -3424,16 +3424,12 @@ using namespace Js;
                 {
                     if (TaggedInt::Is(aItem))
                     {
    -                    pDestArray->DirectSetItemAt(idxDest, TaggedInt::ToInt32(aItem));
    +                    int32 int32Value = TaggedInt::ToInt32(aItem);
    +                    Assert(!SparseArraySegment<int32>::IsMissingItem(&int32Value));
    +                    pDestArray->DirectSetItemAt(idxDest, int32Value);
                     }
                     else
                     {
    -#if DBG
    -                    int32 int32Value;
    -                    Assert(
    -                        JavascriptNumber::TryGetInt32Value(JavascriptNumber::GetValue(aItem), &int32Value) &&
    -                        !SparseArraySegment<int32>::IsMissingItem(&int32Value));
    -#endif
                         pDestArray->DirectSetItemAt(idxDest, static_cast<int32>(JavascriptNumber::GetValue(aItem)));
                     }
                     ++idxDest;
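
Review bot: the missing-item check added to the `TaggedInt::Is(aItem)` branch is only an `Assert`, and the removed block it replaces was wrapped in `#if DBG`, so nothing visible here stops a release build from passing the sentinel to `DirectSetItemAt`. If the invariant is guaranteed by callers, a comment naming where it is enforced would help; otherwise this branch needs a runtime check like the one added in JavascriptOperators.cpp. The `else` branch also loses its assertion entirely, leaving `static_cast<int32>(JavascriptNumber::GetValue(aItem))` with no check that the double is an int32 or that the result is not the missing-item value; consider keeping a debug assertion there as well.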
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9
